CVE-2025-8891

Name of the Vulnerable Software and Affected Versions: OceanWP versions 4.0.9 through 4.1.1

Description: The OceanWP theme for WordPress is susceptible to Cross-Site Request Forgery due to insufficient nonce validation within the oceanwp notice button click() function. This allows unauthenticated attackers to potentially install the Ocean Extra plugin by exploiting a forged request, contingent upon deceiving a site administrator into performing an action.

Recommendations: Update OceanWP to a version later than 4.1.1.